Given:
ISP <-> |modem in router mode (192.168.3.1)| <-> |(192.168.3.60) BSD (192.168.7.60)| -> switch
The server 192.168.7.250 has the web interface I need listening on port 8010.
It needs to be forwarded to the Internet.
rc.firewall:
LanOut="rl0"
LanIn="re0"
NetIn="192.168.7.0"
IpOut="192.168.3.60"
IpIn="192.168.7.60"
NetMask="24"
${fwcmd} nat 1 config if ${LanOut} log redirect_port tcp 192.168.7.250:8010 8010
${fwcmd} add nat 1 tcp from any to ${IpOut} 8010 via ${LanOut}
${fwcmd} add allow tcp from any to 192.168.7.250 8010 via ${LanIn}
${fwcmd} nat 2 config if ${LanOut} log same_ports reset unreg_only
${fwcmd} add nat 2 all from ${NetIn}/${NetMask} to any out via ${LanOut}
${fwcmd} add nat 2 all from any to ${IpOut} in via ${LanOut}
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow ip from ${IpOut} to any out xmit ${LanOut}
${fwcmd} add allow icmp from any to any icmptypes 0,8,11
${fwcmd} add allow tcp from any to any via ${LanIn}
${fwcmd} add allow udp from any to any via ${LanIn}
${fwcmd} add allow icmp from any to any via ${LanIn}
${fwcmd} add deny ip from any to any
Code:
freebsd# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 6 360 nat 1 tcp from any to 192.168.3.60 dst-port 8010 via rl0
00500 6 360 allow tcp from any to 192.168.7.250 dst-port 8010 via re0
00600 1182 140197 nat 2 ip from 192.168.7.0/24 to any out via rl0
00700 1134 437939 nat 2 ip from any to 192.168.3.60 in via rl0
00800 1312 409457 allow tcp from any to any established
00900 205 11480 allow ip from 192.168.3.60 to any out xmit rl0
01000 0 0 allow icmp from any to any icmptypes 0,8,11
01100 44 2160 allow tcp from any to any via re0
01200 1090 186937 allow udp from any to any via re0
01300 5 280 allow icmp from any to any via re0
01400 12 864 deny ip from any to any
65535 12 1440 allow ip from any to any
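To sanity-check a listing like the one above, here is an added Python helper (not from the post or from FreeBSD) that parses `ipfw show` output and reports the rules that never matched, the packet count on the final deny, and the counters of the rules handling the redirected port; the listing from the post is embedded as constructed sample input.

```python
import re
from typing import NamedTuple

# Constructed sample input: the "ipfw show" listing posted above.
IPFW_SHOW = """\
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 6 360 nat 1 tcp from any to 192.168.3.60 dst-port 8010 via rl0
00500 6 360 allow tcp from any to 192.168.7.250 dst-port 8010 via re0
00600 1182 140197 nat 2 ip from 192.168.7.0/24 to any out via rl0
00700 1134 437939 nat 2 ip from any to 192.168.3.60 in via rl0
00800 1312 409457 allow tcp from any to any established
00900 205 11480 allow ip from 192.168.3.60 to any out xmit rl0
01000 0 0 allow icmp from any to any icmptypes 0,8,11
01100 44 2160 allow tcp from any to any via re0
01200 1090 186937 allow udp from any to any via re0
01300 5 280 allow icmp from any to any via re0
01400 12 864 deny ip from any to any
65535 12 1440 allow ip from any to any
"""

class Rule(NamedTuple):
    number: int
    packets: int
    bytes: int
    body: str  # action plus match clauses, e.g. "deny ip from any to any"

# `ipfw show` prints: rule number, packet counter, byte counter, rule body.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_ipfw_show(text: str) -> list[Rule]:
    """Parse `ipfw show` output into Rule records, skipping non-rule lines."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules

def unmatched_rules(rules: list[Rule]) -> list[int]:
    """Rules that never matched a packet: dead rules or traffic that never arrives."""
    return [r.number for r in rules if r.packets == 0]

def denied_packets(rules: list[Rule]) -> int:
    """Packets that fell through every allow/nat rule to the explicit catch-all deny."""
    return sum(r.packets for r in rules if r.body == "deny ip from any to any")

def port_counters(rules: list[Rule], clause: str) -> dict[int, int]:
    """Packet counts of the rules mentioning a clause such as 'dst-port 8010'; the nat rule
    on the outside interface and the allow rule on the inside one should advance together."""
    return {r.number: r.packets for r in rules if clause in r.body}
```

Run it against a live listing with `parse_ipfw_show(subprocess.run(["ipfw", "show"], capture_output=True, text=True).stdout)` on the FreeBSD box; a counter pair that stops advancing pinpoints where a forwarded flow is dropped.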